Date:      Tue, 8 May 2007 14:23:34 -0400 (EDT)
From:      Gardner Bell <gbell72@rogers.com>
To:        iaccounts@ibctech.ca
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW and NATD problem
Message-ID:  <458115.4028.qm@web88002.mail.re2.yahoo.com>
In-Reply-To: <200705081221.46248.lists@jnielsen.net>


--- Steve Bertrand <iaccounts@ibctech.ca> wrote:

> Gardner Bell wrote:
> > Hi all,
> > 
> > I've been following the IPFW section in the handbook and
> > /etc/rc.firewall to try and set up a gateway for my home LAN but I'm
> > having a bit of trouble getting access to the internet.  My network
> > setup looks like so.
> > 
> > 192.168.x.x                     bge1 - 192.168.x.x       bge0 x.x.x.x
> > --LAN------------Switch---------FreeBSD-------------------------------ISP
> > 
> > Bge0 successfully receives an IP from my ISP's DHCP server and I can
> > ping the LAN without any issues.  When it comes to accessing the
> > internet I get a hostname lookup failure.
> > 
> > Any help resolving this is greatly appreciated.
> > 
> > Gardner
> > 
> > mx1# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from 192.168.1.0/24 to any in via bge0
> > 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
> > 00600 deny ip from any to 10.0.0.0/8 via bge0
> > 00700 deny ip from any to 172.16.0.0/12 via bge0
> > 00800 deny ip from any to 192.168.0.0/16 via bge0
> > 00900 deny ip from any to 0.0.0.0/8 via bge0
> > 01000 deny ip from any to 169.254.0.0/16 via bge0
> > 01100 deny ip from any to 192.0.2.0/24 via bge0
> > 01200 deny ip from any to 224.0.0.0/4 via bge0
> > 01300 deny ip from any to 240.0.0.0/4 via bge0
> >
> > 01400 divert 8668 ip from any to any in via bge0
>
> What happens if you switch the above line to bge1, as opposed to
> bge0?

I am able to ping the internet if I change my divert rule to bge1, but I
lose any connectivity to the LAN.  I can only ping 192.168.1.1, i.e. bge1.

> I haven't used natd in a couple years, but from what I can tell, you
> are trying to divert packets that are inbound from the Internet, as
> opposed to diverting packets from the LAN.

Ok.. I was pretty sure that natd_interface had to be set to the NIC
facing the internet, as the manual and /etc/defaults/rc.conf mention.

>
> What does /etc/natd.conf state?

I don't have an /etc/natd.conf as of yet, but I'm using -deny_incoming in
natd_flags.  The natd command shows:

/sbin/natd -deny_incoming -dynamic -n bge0

> If the above does not work, perhaps you could start with a
> minimalistic ruleset, having only allow rules, and then a blanket rule
> to deny at the bottom?

I'll give that a try.

> Steve

Gardner 

PS: I'm not subscribed to the list.. hope I didn't munge the quotes up
too badly.
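For readers following this thread, here is an added example (not code from Gardner, Steve or the FreeBSD handbook) of the minimal ruleset Steve describes: allow rules first, a blanket deny at the bottom, and a single divert rule that hands the outside interface's traffic to natd in both directions rather than only "in via". It also includes a small lint that reads an "ipfw list" dump and flags divert rules restricted to one direction, run here against the quoted rule 01400. The interface names (bge0 outside, bge1 inside), the LAN 192.168.1.0/24 and natd's port 8668 are taken from the thread; the FWCMD variable is an assumption of this example: left unset, the script only prints the ipfw commands, and FWCMD=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values, taken from the thread:
# outside NIC bge0, inside NIC bge1, LAN 192.168.1.0/24, natd on divert port 8668.
# FWCMD is an assumed knob: unset, the script only prints the commands (dry run);
# FWCMD=/sbin/ipfw applies them for real.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
oif="bge0"            # faces the ISP; natd_interface in rc.conf
iif="bge1"            # faces the LAN
lan="192.168.1.0/24"

build_nat_ruleset() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: LAN addresses must never arrive on the outside NIC.
    $fwcmd add 400 deny log ip from $lan to any in via $oif
    # Divert on the outside interface in BOTH directions (no "in"/"out"):
    # outbound LAN packets are translated before they leave, inbound replies
    # are un-translated on arrival. "in via" alone leaves outbound packets
    # untranslated, which is why only the inbound side ever worked.
    $fwcmd add 500 divert 8668 ip from any to any via $oif
    # Everything on the LAN side is trusted.
    $fwcmd add 600 allow ip from any to any via $iif
    # Replies and fragments of sessions that already passed the rules above.
    $fwcmd add 700 allow tcp from any to any established
    $fwcmd add 800 allow ip from any to any frag
    # New TCP sessions: refuse (and log) any that arrive from the outside,
    # then permit the ones the gateway and the LAN initiate.
    $fwcmd add 900 deny log tcp from any to any in via $oif setup
    $fwcmd add 1000 allow tcp from any to any setup
    # DNS queries out and answers back (the "hostname lookup failure" symptom).
    $fwcmd add 1100 allow udp from any to any 53
    $fwcmd add 1200 allow udp from any 53 to any
    # Echo request/reply, unreachable and TTL-exceeded so ping and traceroute work.
    $fwcmd add 1300 allow icmp from any to any icmptypes 0,3,8,11
    # Blanket deny at the bottom, logged so misconfigurations show up in the log.
    $fwcmd add 65000 deny log ip from any to any
}

# Lint an "ipfw list" dump read on stdin: print the number of every divert
# rule restricted to one direction, since natd must see both the outgoing
# packet and the returning one.
check_divert_direction() {
    awk '/ divert / && (/ in via / || / out via /) { print $1 }'
}

# Constructed sample: the tail of the ruleset quoted in the thread.
sample_rules='01300 deny ip from any to 240.0.0.0/4 via bge0
01400 divert 8668 ip from any to any in via bge0'

printf '%s\n' "$sample_rules" | check_divert_direction   # prints: 01400
build_nat_ruleset
```

Run as-is to see the commands it would issue; with FWCMD=/sbin/ipfw it flushes and loads the ruleset, so point firewall_script in rc.conf at it (or fold the rules into rc.firewall) rather than running it over an SSH session. The natd side stays as in the thread: natd_enable="YES", natd_interface="bge0" and natd_flags="-deny_incoming -dynamic", since natd does need the ISP-facing NIC; the divert rule, not natd_interface, was the side limited to one direction.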


